Java – how to encrypt the password of jconsole password file
I am using jconsole to access my application MBean and use password Properties file However, according to sun's specifications, this file only contains passwords in clear text format
com. sun. management. jmxremote. password. file = LT; someLocation> /password. properties
Now I want to encrypt the password and use it for JMX user authentication of jconsole (username and password fields in the remote section) I can use any predefined encryption logic or my own encryption algorithm
Does anyone know that any such interception changes the plaintext password to the encrypted password so that the JMX framework also knows the encrypted password?
My current password file:
guest guest admin admin
With encryption, it should look like:
guest ENC(RjqpRYbAOwbAfAEDBdHJ7Q4l/GO5IoJidZctNT5oG64=) admin ENC(psg3EnDei6fVRuqHeLwOqNTgIWkwQTjI2+u2O7MXXWc=)
Solution
You can use management The configuration parameter in the properties file is com sun. management. jmxremote. login. Config (see% java_home% / lib / management / management. Properties) to configure the authenticator and loginmodule to be used
The default values are as follows:
JMXPluggableAuthenticator {
com.sun.jmx.remote.security.FileLoginModule @R_404_1117@;
};
It reads the plain text password file jmxremote password. Because you can reconfigure com sun. jmx. remote. security. JMX pluggableauthenticator uses any loginmodule implementation. You are free to choose an existing loginmodule or implement your own. It uses an encrypted password file
To re implement the fileloginmodule, you should look at the attemptauthentication (Boolean) method, which actually performs authentication, and you may replace it Implement javax security. auth. spi. The loginmodule interface and use the given callbackhandler (which you will get from the init () method) to request a username and password Encrypt / hash the received password and compare it with the password read from the encrypted password file Pseudo code:
public class EncryptedFileLoginModule implements LoginModule {
@Override
public void initialize(Subject subject,CallbackHandler callbackHandler,Map<String,?> sharedState,?> options) {
this.subject = subject;
this.callbackHandler = callbackHandler;
}
public boolean login() throws LoginException {
attemptLogin();
if (username == null || password == null) {
throw new LoginException("Either no username or no password specified");
}
MessageDigest instance = MessageDigest.getInstance("SHA-1");
byte[] raw = new String(password).getBytes();
byte[] crypted = instance.digest(raw);
// TODO: Compare to the one stored locally
if (!authenticated) throw new LoginException();
return true;
}
private void attemptLogin() throws LoginException {
Callback[] callbacks = new Callback[2];
callbacks[0] = new NameCallback("username");
callbacks[1] = new PasswordCallback("password",false);
callbackHandler.handle(callbacks);
username = ((NameCallback) callbacks[0]).getName();
user = new JMXPrincipal(username);
char[] tmpPassword = ((PasswordCallback) callbacks[1]).getpassword();
password = new char[tmpPassword.length];
System.arraycopy(tmpPassword,password,tmpPassword.length);
((PasswordCallback) callbacks[1]).clearPassword();
}
However, since this is already the server side, if you do not enforce it, the password will still be transmitted in plain text to JMX over SSL Therefore, either enforce SSL or use other transport protocol mechanisms to encode credentials and transmit them over wires
In short, relying on the existing authentication mechanism provided by JAAS may be much better For example, if you are running in a local Windows environment, you can easily use ntloginmodule for automatic login But it only applies to local machines
Create the file C: / temp / mysecurity cfg:
MyLoginModule {
com.sun.security.auth.module.NTLoginModule @R_404_1117@ debug=true debugNative=true;
};
Next, configure jmxremote Access file to contain the user name or role you want to grant access to the JMX server:
monitorRole readonly controlRole readwrite ... mhaller readonly
(I recommend enabling debug mode until it works. When users try to log in, you will see all user names, domain names and group names) set the following JVM parameters for your server:
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8686 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Djava.net.preferIPv4Stack=true -Djava.security.auth.login.config=c:/temp/mysecurity.cfg -Dcom.sun.management.jmxremote.login.config=MyLoginModule
Start the application and try to connect using jconsole or visual VM
Note that jconsole, you need to specify a user name and password, although it will not be used Any password and any user name can be used The reason is because jconsole will attempt to authenticate with null username and null password, which is explicitly blocked Visual VM does better by using empty strings when the user does not enter a user name and password
Please also note that ntloginmodule does not work when connecting remotely. I think you must use a more complex login module, but sun has provided enough content:
> com. sun. security. auth. module. Krb5loginmodule: authenticating users using Kerberos Protocol > com sun. security. auth. module. LdapLoginModule
The above is all the contents of Java - how to encrypt the password of jconsole password file collected and sorted out by programming home for you. I hope this article can help you solve the program development problems encountered in Java - how to encrypt the password of jconsole password file.
If you think the content of the programming home website is good, you are welcome to recommend the programming home website to programmers and friends.